Accepting request 147965 from home:cboltz

- update to AppArmor 2.8.1 (=2.8 branch r2069)
  Bugfix release, http://wiki.apparmor.net/index.php/ReleaseNotes_2_8_1
  Most important changes are:
  - add various missing parts to profiles and abstractions
  - fix a possible x conflict with hats or child profiles in 
    apparmor_parser
  - fix and speedup stdin handling in aa-decode
  - various other bugfixes
  - add pkgconfig support to libapparmor
- remove patches that have since been merged upstream

OBS-URL: https://build.opensuse.org/request/show/147965
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=27
This commit is contained in:
Christian Boltz 2013-01-10 19:32:25 +00:00 committed by Git OBS Bridge
parent 76780104ab
commit c33e50b1a0
9 changed files with 29 additions and 364 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:03e2e91fac17694635d25d7482e46db69320cd844590740073cf5fdfdd5379c6
size 1462560


@ -1,7 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEABECAAYFAk/HrnMACgkQgTeYuayTEnFRoACg0069+gY/ch0yFXmK5opivw0V
0/IAn01Dd7Ea2dMjGa/mBjJM5THOWMml
=pEkp
-----END PGP SIGNATURE-----

3
apparmor-2.8.1.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:875bc3b7c5f82f9d3310211ee5a52882f6d5860314bf529198312e49c22c0ae4
size 1520010


@ -0,0 +1,7 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEABECAAYFAlDuVU4ACgkQgTeYuayTEnHWuACglQEWIpCjhJWmyX2D7pJVZEhm
PE0AoJ91WwkljwgTS8jEr/AXanuHq4PO
=8Td8
-----END PGP SIGNATURE-----


@ -1,315 +0,0 @@
apparmor: add clearing the profile cache when inconsistent
Add the ability to clear out the binary profile cache. This removes the
need to have a separate script to handle the logic of checking and
removing the cache if it is out of date.
The parser already does all the checking to determine cache validity
so it makes sense to allow the parser to clear out inconsistent cache
when it has been instructed to update the cache.
Signed-off-by: John Johnansen <john.johansen@canonical.com>
commited to AppArmor 2.8 branch r2054
(Note: the parser/apparmor_parser.pod patch was taken from another patch)
=== modified file 'parser/apparmor_parser.pod'
--- parser/apparmor_parser.pod 2012-02-24 12:21:59 +0000
+++ parser/apparmor_parser.pod 2012-08-07 22:41:32 +0000
@@ -138,6 +138,15 @@
is running with "--replace", it may make sense to also use
"--skip-read-cache" with the "--write-cache" option.
+=item --purge-cache
+
+Unconditionally clear out cached profiles.
+
+=item --skip-bad-cache
+
+Skip updating the cache if it contains cached profiles in a bad or
+inconsistant state
+
=item -L, --cache-loc
Set the location of the cache directory. If not specified the cache location
=== modified file 'parser/parser_main.c'
--- parser/parser_main.c 2012-07-17 23:00:53 +0000
+++ parser/parser_main.c 2012-08-09 07:37:25 +0000
@@ -24,6 +24,7 @@
#include <string.h>
#include <stdlib.h>
#include <stdarg.h>
+#include <stddef.h>
#include <getopt.h>
#include <errno.h>
#include <fcntl.h>
@@ -71,6 +72,8 @@
int skip_cache = 0;
int skip_read_cache = 0;
int write_cache = 0;
+int cond_clear_cache = 1; /* only applies if write is set */
+int force_clear_cache = 0; /* force clearing regargless of state */
int preprocess_only = 0;
int skip_mode_force = 0;
struct timespec mru_tstamp;
@@ -109,6 +112,8 @@
{"skip-read-cache", 0, 0, 'T'},
{"write-cache", 0, 0, 'W'},
{"show-cache", 0, 0, 'k'},
+ {"skip-bad-cache", 0, 0, 129}, /* no short option */
+ {"purge-cache", 0, 0, 130}, /* no short option */
{"cache-loc", 1, 0, 'L'},
{"debug", 0, 0, 'd'},
{"dump", 1, 0, 'D'},
@@ -151,6 +156,8 @@
"-K, --skip-cache Do not attempt to load or save cached profiles\n"
"-T, --skip-read-cache Do not attempt to load cached profiles\n"
"-W, --write-cache Save cached profile (force with -T)\n"
+ " --skip-bad-cache Don't clear cache if out of sync\n"
+ " --purge-cache Clear cache regardless of its state\n"
"-L, --cache-loc n Set the location of the profile cache\n"
"-q, --quiet Don't emit warnings\n"
"-v, --verbose Show profile names as they load\n"
@@ -527,6 +534,12 @@
case 'T':
skip_read_cache = 1;
break;
+ case 129:
+ cond_clear_cache = 0;
+ break;
+ case 130:
+ force_clear_cache = 1;
+ break;
case 'L':
cacheloc = strdup(optarg);
break;
@@ -1165,6 +1178,120 @@
return retval;
}
+static int dir_for_each(const char *dname,
+ int (* callback)(const char *, struct dirent *,
+ struct stat *)) {
+ struct dirent *dirent, *ent;
+ char *path = NULL;
+ DIR *dir = NULL;
+ int error;
+
+ dirent = malloc(offsetof(struct dirent, d_name) +
+ pathconf(dname, _PC_NAME_MAX) + 1);
+ if (!dirent) {
+ PDEBUG(_("could not alloc dirent"));
+ return -1;
+ }
+
+ PDEBUG("Opened cache directory \"%s\"\n", dname);
+ if (!(dir = opendir(dname))) {
+ free(dirent);
+ PDEBUG(_("opendir failed '%s'"), dname);
+ return -1;
+ }
+
+ for (error = readdir_r(dir, dirent, &ent);
+ error == 0 && ent != NULL;
+ error = readdir_r(dir, dirent, &ent)) {
+ struct stat my_stat;
+
+ if (strcmp(dirent->d_name, ".") == 0 ||
+ strcmp(dirent->d_name, "..") == 0)
+ continue;
+
+ if (asprintf(&path, "%s/%s", dname, dirent->d_name) < 0)
+ {
+ PDEBUG(_("Memory allocation error."));
+ goto fail;
+ }
+
+ if (stat(path, &my_stat)) {
+ PDEBUG(_("stat failed for '%s'"), path);
+ goto fail;
+ }
+
+ if (callback(path, dirent, &my_stat)) {
+ PDEBUG(_("dir_for_each callback failed\n"));
+ goto fail;
+ }
+
+ free(path);
+ path = NULL;
+ }
+
+ free(dirent);
+ closedir(dir);
+ return error;
+
+fail:
+ error = errno;
+ free(dirent);
+ free(path);
+ closedir(dir);
+ errno = error;
+
+ return -1;
+}
+
+static int clear_cache_cb(const char *path, __unused struct dirent *dirent,
+ struct stat *ent_stat)
+{
+ /* remove regular files */
+ if (S_ISREG(ent_stat->st_mode))
+ return unlink(path);
+
+ /* do nothing with other file types */
+ return 0;
+}
+
+static int clear_cache_files(const char *path)
+{
+ char *cache;
+ int error;
+
+ if (asprintf(&cache, "%s/cache", path) == -1) {
+ perror("asprintf");
+ exit(1);
+ }
+
+ error = dir_for_each(cache, clear_cache_cb);
+
+ free(cache);
+
+ return error;
+}
+
+static int create_cache(const char *path, const char *features)
+{
+ FILE * f = NULL;
+
+ f = fopen(path, "w");
+ if (f) {
+ if (fwrite(features, strlen(features), 1, f) != 1 )
+ goto fail;
+
+ fclose(f);
+ }
+
+ return 0;
+fail:
+ if (show_cache)
+ PERROR("Cache write disabled: cannot create %s\n", path);
+ write_cache = 0;
+
+ return -1;
+}
+
static void setup_flags(void)
{
char *cache_features_path = NULL;
@@ -1198,30 +1325,23 @@ static void setup_flags(void)
get_flags_string(&cache_flags, cache_features_path);
if (cache_flags) {
if (strcmp(flags_string, cache_flags) != 0) {
- if (show_cache) PERROR("Cache read/write disabled: %s does not match %s\n", FLAGS_FILE, cache_features_path);
- write_cache = 0;
- skip_read_cache = 1;
+ if (write_cache && cond_clear_cache) {
+ if (clear_cache_files(basedir) ||
+ create_cache(cache_features_path,
+ flags_string)) {
+ skip_read_cache = 1;
+ }
+ } else {
+ if (show_cache)
+ PERROR("Cache read/write disabled: %s does not match %s\n", FLAGS_FILE, cache_features_path);
+ write_cache = 0;
+ skip_read_cache = 1;
+ }
}
free(cache_flags);
cache_flags = NULL;
- }
- else if (write_cache) {
- FILE * f = NULL;
- int failure = 0;
-
- f = fopen(cache_features_path, "w");
- if (!f) failure = 1;
- else {
- if (fwrite(flags_string, strlen(flags_string), 1, f) != 1 ) {
- failure = 1;
- }
- if (fclose(f) != 0) failure = 1;
- }
-
- if (failure) {
- if (show_cache) PERROR("Cache write disabled: cannot write to %s\n", cache_features_path);
- write_cache = 0;
- }
+ } else if (write_cache) {
+ create_cache(cache_features_path, flags_string);
}
free(cache_features_path);
@@ -1251,6 +1371,11 @@ int main(int argc, char *argv[])
return retval;
}
+ if (force_clear_cache) {
+ clear_cache_files(basedir);
+ exit(0);
+ }
+
/* Check to make sure there is an interface to load policy */
if (!(UNPRIVILEGED_OPS) && (subdomainbase == NULL) &&
(retval = find_subdomainfs_mountpoint())) {
=== modified file 'parser/tst/caching.sh'
--- parser/tst/caching.sh 2012-03-09 12:25:03 +0000
+++ parser/tst/caching.sh 2012-08-09 07:37:25 +0000
@@ -93,12 +93,41 @@
../apparmor_parser $ARGS -v -r $basedir/$profile | grep -q 'Replacement succeeded for' || { echo "FAIL"; exit 1; }
echo "ok"
-echo -n "Cache writing is skipped when features do not match cache: "
+echo -n "Cache writing is skipped when features do not match and not cleared: "
rm $basedir/cache/$profile
-../apparmor_parser $ARGS -v --write-cache -r $basedir/$profile | grep -q 'Replacement succeeded for' || { echo "FAIL"; exit 1; }
+../apparmor_parser $ARGS -v --write-cache --skip-bad-cache -r $basedir/$profile | grep -q 'Replacement succeeded for' || { echo "FAIL"; exit 1; }
[ -f $basedir/cache/$profile ] && echo "FAIL ($basedir/cache/$profile exists)" && exit 1
echo "ok"
+rm -f $basedir/cache/.features || true
+rm -f $basedir/cache/$profile || true
+echo -n "monkey" > $basedir/cache/.features
+echo -n "monkey" > $basedir/cache/$profile
+echo -n "monkey" > $basedir/cache/monkey
+../apparmor_parser $ARGS -v --write-cache -r $basedir/$profile | grep -q 'Replacement succeeded for' || { echo "Cache clear setup FAIL"; exit 1; }
+echo -n "Cache clear updates features: "
+echo -n "monkey" | diff -q $basedir/cache/.features - | grep -q 'differ' || { echo "FAIL"; exit 1; }
+echo "ok"
+echo -n "Cache clear writes updated profile: "
+echo -n "monkey" | diff -q $basedir/cache/$profile - | grep -q 'differ' || { echo "FAIL"; exit 1; }
+echo "ok"
+echo -n "Cache clear cleans out all files: "
+[ -f $basedir/cache/monkey ] && { echo "FAIL"; exit 1; }
+echo "ok"
+
+rm -f $basedir/cache/monkey
+rm -f $basedir/cache/.features || true
+rm -f $basedir/cache/$profile || true
+echo -n "monkey" > $basedir/cache/.features
+echo -n "monkey" > $basedir/cache/$profile
+echo -n "monkey" > $basedir/cache/monkey
+echo -n "Cache purge remove profiles unconditionally: "
+../apparmor_parser $ARGS -v --purge-cache -r $basedir/$profile || { echo "Cache clear setup FAIL"; exit 1; }
+[ -f $basedir/cache/.features ] && { echo "FAIL"; exit 1; }
+[ -f $basedir/cache/$profile ] && { echo "FAIL"; exit 1; }
+[ -f $basedir/cache/monkey ] && { echo "FAIL"; exit 1; }
+echo "ok"
+
echo -n "Profiles are cached when requested (again): "
rm -f $basedir/cache/.features || true
rm -f $basedir/cache/$profile || true


@ -1,11 +0,0 @@
=== modified file 'profiles/apparmor.d/abstractions/bash'
--- profiles/apparmor.d/abstractions/bash 2010-12-20 20:29:10 +0000
+++ profiles/apparmor.d/abstractions/bash 2012-08-05 15:46:47 +0000
@@ -40,5 +40,5 @@
# run out of /etc/bash.bashrc
/etc/DIR_COLORS r,
- /bin/ls mix,
+ /{usr/,}bin/ls mix,
/usr/bin/dircolors mix,


@ -1,13 +0,0 @@
=== modified file 'profiles/apparmor.d/bin.ping'
--- profiles/apparmor.d/bin.ping 2010-08-05 19:00:02 +0000
+++ profiles/apparmor.d/bin.ping 2012-07-01 11:05:38 +0000
@@ -10,7 +10,7 @@
# ------------------------------------------------------------------
#include <tunables/global>
-/bin/ping {
+/{usr/,}bin/ping {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>


@ -1,3 +1,17 @@
-------------------------------------------------------------------
Thu Jan 10 10:57:40 UTC 2013 - opensuse@cboltz.de
- update to AppArmor 2.8.1 (=2.8 branch r2069)
Bugfix release, http://wiki.apparmor.net/index.php/ReleaseNotes_2_8_1
Most important changes are:
- add various missing parts to profiles and abstractions
- fix a possible x conflict with hats or child profiles in
apparmor_parser
- fix and speedup stdin handling in aa-decode
- various other bugfixes
- add pkgconfig support to libapparmor
- remove upstream(ed) patches
-------------------------------------------------------------------
Mon Dec 3 20:58:04 UTC 2012 - opensuse@cboltz.de


@ -1,7 +1,7 @@
#
# spec file for package apparmor
#
# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -43,7 +43,7 @@ Name: apparmor
%if ! %{?distro:1}0
%define distro suse
%endif
Version: 2.8.0
Version: 2.8.1
Release: 0
Summary: AppArmor userlevel parser utility
License: GPL-2.0+
@ -65,18 +65,9 @@ Patch1: apparmor-enable-profile-cache.diff
# include autogenerated profile sniplet for samba shares (bnc#688040)
Patch2: apparmor-samba-include-permissions-for-shares.diff
# usrMerge /bin/ping -> /usr/bin/ping (commited upstream 2012-08-10 - trunk r2062)
Patch3: apparmor-profiles-usrmove-bin-ping.diff
# usrMerge /bin/ls -> /usr/bin/ls in abstractions/bash (commited upstream 2012-08-05 - trunk r2061, 2.8 branch r2053)
Patch4: apparmor-profiles-usrmove-abstractions-bash.diff
# split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width.
Patch5: apparmor-utils-string-split
# clear and update inconsistent profile cache (bnc#774529), patch from upstream (2.8 branch r2054)
Patch6: apparmor-parser-fix-broken-cache.diff
# Add support for eDirectory calls in abstractions/nameservice. Not accepted upstream (yet) because of open questions
Patch12: apparmor-2.5.1-edirectory-profile
@ -416,10 +407,7 @@ SubDomain.
%setup -q
%patch1 -p1
%patch2 -p0
%patch3 -p0
%patch4 -p0
%patch5 -p1
%patch6 -p0
%patch12 -p1
# only create Immunix::SubDomain perl module for openSUSE <= 12.1
@ -504,7 +492,8 @@ make -C profiles
%install
# libapparmor
%makeinstall -C libraries/libapparmor
# override pkgconfigdir for now - TODO: don't redefine libdir when packaging AppArmor 3.0
%makeinstall -C libraries/libapparmor pkgconfigdir=/usr/%{_lib}/pkgconfig/
# create symlink for old change_hat(2) manpage
( cd %{buildroot}/%{_mandir}/man2/ && ln -s aa_change_hat.2 change_hat.2 )
@ -625,6 +614,7 @@ fi
%{_libdir}/libimmunix.a
%{_libdir}/libapparmor.so
%{_libdir}/libimmunix.so
/usr/%{_lib}/pkgconfig/libapparmor.pc
%doc %{_mandir}/man2/aa_change_hat.2.gz
%doc %{_mandir}/man2/change_hat.2.gz
%doc %{_mandir}/man2/aa_find_mountpoint.2.gz
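Review bot: The new `%files` entry `/usr/%{_lib}/pkgconfig/libapparmor.pc` spells the directory out literally while the neighbouring entries use `%{_libdir}`, and the only explanation is the comment next to the second `%makeinstall` in `%install`, which says libdir is redefined somewhere in the spec outside this hunk. A later editor reading only the `%files` list is likely to "normalise" it to `%{_libdir}/pkgconfig/libapparmor.pc` and ship a package whose file list no longer matches what `%makeinstall ... pkgconfigdir=` installed, so the same hint belongs beside the entry, e.g. `# keep in sync with the pkgconfigdir override in %install (libdir is redefined)`. Since the `%install` comment already marks the override as temporary, it would also help to say there that the `%files` entry must change together with it when the redefinition is dropped. Running `%makeinstall -C libraries/libapparmor` twice in a row presumably just re-copies the same files, but if that is intentional a one-line comment saying so would save the next reader from wondering whether the first call can be removed.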